2001-03-18 02:13:33 +00:00
|
|
|
/* packet-dcerpc.c
|
|
|
|
* Routines for DCERPC packet disassembly
|
|
|
|
* Copyright 2001, Todd Sabin <tas@webspan.net>
|
|
|
|
*
|
2001-10-05 20:25:41 +00:00
|
|
|
* $Id: packet-dcerpc.c,v 1.12 2001/10/05 20:25:41 guy Exp $
|
2001-03-18 02:13:33 +00:00
|
|
|
*
|
|
|
|
* Ethereal - Network traffic analyzer
|
2001-07-11 01:25:45 +00:00
|
|
|
* By Gerald Combs <gerald@ethereal.com>
|
2001-03-18 02:13:33 +00:00
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
#include "config.h"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
|
|
#include <sys/types.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
#include <ctype.h>
|
|
|
|
|
|
|
|
#include <glib.h>
|
|
|
|
#include "packet.h"
|
2001-04-19 23:39:27 +00:00
|
|
|
#include "packet-dcerpc.h"
|
2001-07-11 01:25:45 +00:00
|
|
|
#include "conversation.h"
|
2001-03-18 02:13:33 +00:00
|
|
|
|
|
|
|
static const value_string pckt_vals[] = {
|
|
|
|
{ 0, "Request"},
|
|
|
|
{ 1, "Ping"},
|
|
|
|
{ 2, "Response"},
|
|
|
|
{ 3, "Fault"},
|
|
|
|
{ 4, "Working"},
|
|
|
|
{ 5, "Nocall"},
|
|
|
|
{ 6, "Reject"},
|
|
|
|
{ 7, "Ack"},
|
|
|
|
{ 8, "Cl_cancel"},
|
|
|
|
{ 9, "Fack"},
|
|
|
|
{ 10, "Cancel_ack"},
|
|
|
|
{ 11, "Bind"},
|
|
|
|
{ 12, "Bind_ack"},
|
|
|
|
{ 13, "Bind_nak"},
|
|
|
|
{ 14, "Alter_context"},
|
|
|
|
{ 15, "Alter_context_resp"},
|
|
|
|
{ 16, "AUTH3?"},
|
|
|
|
{ 17, "Shutdown"},
|
|
|
|
{ 18, "Co_cancel"},
|
|
|
|
{ 19, "Orphaned"},
|
|
|
|
};
|
|
|
|
|
2001-09-30 13:48:20 +00:00
|
|
|
static const value_string drep_byteorder_vals[] = {
|
|
|
|
{ 0, "Big-endian" },
|
|
|
|
{ 1, "Little-endian" }
|
|
|
|
};
|
|
|
|
|
|
|
|
static const value_string drep_character_vals[] = {
|
|
|
|
{ 0, "ASCII" },
|
|
|
|
{ 1, "EBCDIC" }
|
|
|
|
};
|
|
|
|
|
|
|
|
static const value_string drep_fp_vals[] = {
|
|
|
|
{ 0, "IEEE" },
|
|
|
|
{ 1, "VAX" },
|
|
|
|
{ 2, "Cray" },
|
|
|
|
{ 3, "IBM" }
|
|
|
|
};
|
|
|
|
|
2001-03-18 02:13:33 +00:00
|
|
|
static const true_false_string flags_set_truth = {
|
|
|
|
"Set",
|
|
|
|
"Not set"
|
|
|
|
};
|
|
|
|
|
|
|
|
static int proto_dcerpc = -1;
|
|
|
|
|
|
|
|
/* field defines */
|
|
|
|
static int hf_dcerpc_ver = -1;
|
|
|
|
static int hf_dcerpc_ver_minor = -1;
|
|
|
|
static int hf_dcerpc_packet_type = -1;
|
|
|
|
static int hf_dcerpc_cn_flags = -1;
|
|
|
|
static int hf_dcerpc_cn_flags_first_frag = -1;
|
|
|
|
static int hf_dcerpc_cn_flags_last_frag = -1;
|
|
|
|
static int hf_dcerpc_cn_flags_cancel_pending = -1;
|
|
|
|
static int hf_dcerpc_cn_flags_reserved = -1;
|
|
|
|
static int hf_dcerpc_cn_flags_mpx = -1;
|
|
|
|
static int hf_dcerpc_cn_flags_dne = -1;
|
|
|
|
static int hf_dcerpc_cn_flags_maybe = -1;
|
|
|
|
static int hf_dcerpc_cn_flags_object = -1;
|
2001-10-05 20:25:41 +00:00
|
|
|
static int hf_dcerpc_drep = -1;
|
|
|
|
static int hf_dcerpc_drep_byteorder = -1;
|
|
|
|
static int hf_dcerpc_drep_character = -1;
|
|
|
|
static int hf_dcerpc_drep_fp = -1;
|
2001-03-18 02:13:33 +00:00
|
|
|
static int hf_dcerpc_cn_frag_len = -1;
|
|
|
|
static int hf_dcerpc_cn_auth_len = -1;
|
|
|
|
static int hf_dcerpc_cn_call_id = -1;
|
2001-04-19 23:39:27 +00:00
|
|
|
static int hf_dcerpc_cn_max_xmit = -1;
|
|
|
|
static int hf_dcerpc_cn_max_recv = -1;
|
|
|
|
static int hf_dcerpc_cn_assoc_group = -1;
|
|
|
|
static int hf_dcerpc_cn_num_ctx_items = -1;
|
|
|
|
static int hf_dcerpc_cn_ctx_id = -1;
|
|
|
|
static int hf_dcerpc_cn_num_trans_items = -1;
|
|
|
|
static int hf_dcerpc_cn_bind_if_id = -1;
|
|
|
|
static int hf_dcerpc_cn_bind_if_ver = -1;
|
2001-07-11 01:25:45 +00:00
|
|
|
static int hf_dcerpc_cn_bind_if_ver_minor = -1;
|
2001-04-19 23:39:27 +00:00
|
|
|
static int hf_dcerpc_cn_bind_trans_id = -1;
|
|
|
|
static int hf_dcerpc_cn_bind_trans_ver = -1;
|
|
|
|
static int hf_dcerpc_cn_alloc_hint = -1;
|
|
|
|
static int hf_dcerpc_cn_sec_addr_len = -1;
|
|
|
|
static int hf_dcerpc_cn_num_results = -1;
|
|
|
|
static int hf_dcerpc_cn_ack_result = -1;
|
|
|
|
static int hf_dcerpc_cn_ack_reason = -1;
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
static int hf_dcerpc_cn_ack_trans_id = -1;
|
|
|
|
static int hf_dcerpc_cn_ack_trans_ver = -1;
|
2001-07-11 01:25:45 +00:00
|
|
|
static int hf_dcerpc_cn_cancel_count = -1;
|
2001-09-28 22:43:57 +00:00
|
|
|
static int hf_dcerpc_auth_type = -1;
|
|
|
|
static int hf_dcerpc_auth_level = -1;
|
|
|
|
static int hf_dcerpc_auth_pad_len = -1;
|
|
|
|
static int hf_dcerpc_auth_rsrvd = -1;
|
|
|
|
static int hf_dcerpc_auth_ctx_id = -1;
|
2001-03-18 02:13:33 +00:00
|
|
|
static int hf_dcerpc_dg_flags1 = -1;
|
|
|
|
static int hf_dcerpc_dg_flags1_rsrvd_01 = -1;
|
|
|
|
static int hf_dcerpc_dg_flags1_last_frag = -1;
|
|
|
|
static int hf_dcerpc_dg_flags1_frag = -1;
|
|
|
|
static int hf_dcerpc_dg_flags1_nofack = -1;
|
|
|
|
static int hf_dcerpc_dg_flags1_maybe = -1;
|
|
|
|
static int hf_dcerpc_dg_flags1_idempotent = -1;
|
|
|
|
static int hf_dcerpc_dg_flags1_broadcast = -1;
|
|
|
|
static int hf_dcerpc_dg_flags1_rsrvd_80 = -1;
|
|
|
|
static int hf_dcerpc_dg_flags2 = -1;
|
|
|
|
static int hf_dcerpc_dg_flags2_rsrvd_01 = -1;
|
|
|
|
static int hf_dcerpc_dg_flags2_cancel_pending = -1;
|
|
|
|
static int hf_dcerpc_dg_flags2_rsrvd_04 = -1;
|
|
|
|
static int hf_dcerpc_dg_flags2_rsrvd_08 = -1;
|
|
|
|
static int hf_dcerpc_dg_flags2_rsrvd_10 = -1;
|
|
|
|
static int hf_dcerpc_dg_flags2_rsrvd_20 = -1;
|
|
|
|
static int hf_dcerpc_dg_flags2_rsrvd_40 = -1;
|
|
|
|
static int hf_dcerpc_dg_flags2_rsrvd_80 = -1;
|
|
|
|
static int hf_dcerpc_dg_serial_hi = -1;
|
2001-04-19 23:39:27 +00:00
|
|
|
static int hf_dcerpc_obj_id = -1;
|
2001-03-18 02:13:33 +00:00
|
|
|
static int hf_dcerpc_dg_if_id = -1;
|
|
|
|
static int hf_dcerpc_dg_act_id = -1;
|
|
|
|
static int hf_dcerpc_dg_serial_lo = -1;
|
|
|
|
static int hf_dcerpc_dg_ahint = -1;
|
|
|
|
static int hf_dcerpc_dg_ihint = -1;
|
|
|
|
static int hf_dcerpc_dg_frag_len = -1;
|
|
|
|
static int hf_dcerpc_dg_frag_num = -1;
|
|
|
|
static int hf_dcerpc_dg_auth_proto = -1;
|
2001-04-19 23:39:27 +00:00
|
|
|
static int hf_dcerpc_opnum = -1;
|
2001-03-18 02:13:33 +00:00
|
|
|
static int hf_dcerpc_dg_seqnum = -1;
|
|
|
|
static int hf_dcerpc_dg_server_boot = -1;
|
|
|
|
static int hf_dcerpc_dg_if_ver = -1;
|
|
|
|
|
|
|
|
static gint ett_dcerpc = -1;
|
|
|
|
static gint ett_dcerpc_cn_flags = -1;
|
2001-10-05 20:25:41 +00:00
|
|
|
static gint ett_dcerpc_drep = -1;
|
2001-03-18 02:13:33 +00:00
|
|
|
static gint ett_dcerpc_dg_flags1 = -1;
|
|
|
|
static gint ett_dcerpc_dg_flags2 = -1;
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
/*
|
|
|
|
* Subdissectors
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* the registered subdissectors */
|
|
|
|
static GHashTable *dcerpc_uuids;
|
|
|
|
|
|
|
|
typedef struct _dcerpc_uuid_key {
|
|
|
|
e_uuid_t uuid;
|
|
|
|
guint16 ver;
|
|
|
|
} dcerpc_uuid_key;
|
|
|
|
|
|
|
|
typedef struct _dcerpc_uuid_value {
|
|
|
|
int proto;
|
|
|
|
int ett;
|
|
|
|
gchar *name;
|
|
|
|
dcerpc_sub_dissector *procs;
|
|
|
|
} dcerpc_uuid_value;
|
|
|
|
|
|
|
|
static gint
|
|
|
|
dcerpc_uuid_equal (gconstpointer k1, gconstpointer k2)
|
|
|
|
{
|
|
|
|
dcerpc_uuid_key *key1 = (dcerpc_uuid_key *)k1;
|
|
|
|
dcerpc_uuid_key *key2 = (dcerpc_uuid_key *)k2;
|
|
|
|
return ((memcmp (&key1->uuid, &key2->uuid, sizeof (e_uuid_t)) == 0)
|
|
|
|
&& (key1->ver == key2->ver));
|
|
|
|
}
|
|
|
|
|
|
|
|
static guint
|
|
|
|
dcerpc_uuid_hash (gconstpointer k)
|
|
|
|
{
|
|
|
|
dcerpc_uuid_key *key = (dcerpc_uuid_key *)k;
|
|
|
|
/* This isn't perfect, but the Data1 part of these is almost always
|
|
|
|
unique. */
|
|
|
|
return key->uuid.Data1;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dcerpc_init_uuid (int proto, int ett, e_uuid_t *uuid, guint16 ver,
|
|
|
|
dcerpc_sub_dissector *procs)
|
|
|
|
{
|
|
|
|
dcerpc_uuid_key *key = g_malloc (sizeof (*key));
|
|
|
|
dcerpc_uuid_value *value = g_malloc (sizeof (*value));
|
|
|
|
|
|
|
|
key->uuid = *uuid;
|
|
|
|
key->ver = ver;
|
|
|
|
|
|
|
|
value->proto = proto;
|
|
|
|
value->ett = ett;
|
|
|
|
value->name = proto_get_protocol_short_name (proto);
|
|
|
|
value->procs = procs;
|
|
|
|
|
|
|
|
g_hash_table_insert (dcerpc_uuids, key, value);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* To keep track of ctx_id mappings. Should really use some
|
|
|
|
* generic conversation support instead.
|
|
|
|
*/
|
|
|
|
static GHashTable *dcerpc_convs;
|
|
|
|
|
|
|
|
typedef struct _dcerpc_conv_key {
|
|
|
|
conversation_t *conv;
|
|
|
|
guint16 ctx_id;
|
|
|
|
} dcerpc_conv_key;
|
|
|
|
|
|
|
|
static GMemChunk *dcerpc_conv_key_chunk;
|
|
|
|
|
|
|
|
typedef struct _dcerpc_conv_value {
|
|
|
|
e_uuid_t uuid;
|
|
|
|
guint16 ver;
|
|
|
|
} dcerpc_conv_value;
|
|
|
|
|
|
|
|
static GMemChunk *dcerpc_conv_value_chunk;
|
|
|
|
|
|
|
|
static gint
|
|
|
|
dcerpc_conv_equal (gconstpointer k1, gconstpointer k2)
|
|
|
|
{
|
|
|
|
dcerpc_conv_key *key1 = (dcerpc_conv_key *)k1;
|
|
|
|
dcerpc_conv_key *key2 = (dcerpc_conv_key *)k2;
|
|
|
|
return (key1->conv == key2->conv
|
|
|
|
&& key1->ctx_id == key2->ctx_id);
|
|
|
|
}
|
|
|
|
|
|
|
|
static guint
|
|
|
|
dcerpc_conv_hash (gconstpointer k)
|
|
|
|
{
|
|
|
|
dcerpc_conv_key *key = (dcerpc_conv_key *)k;
|
|
|
|
return ((guint)key->conv) + key->ctx_id;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* To keep track of callid mappings. Should really use some generic
|
|
|
|
* conversation support instead.
|
|
|
|
*/
|
|
|
|
static GHashTable *dcerpc_calls;
|
|
|
|
|
|
|
|
typedef struct _dcerpc_call_key {
|
|
|
|
conversation_t *conv;
|
|
|
|
guint32 call_id;
|
|
|
|
} dcerpc_call_key;
|
2001-03-18 02:13:33 +00:00
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
static GMemChunk *dcerpc_call_key_chunk;
|
|
|
|
|
|
|
|
typedef struct _dcerpc_call_value {
|
|
|
|
e_uuid_t uuid;
|
|
|
|
guint16 ver;
|
|
|
|
guint16 opnum;
|
|
|
|
} dcerpc_call_value;
|
|
|
|
|
|
|
|
static GMemChunk *dcerpc_call_value_chunk;
|
|
|
|
|
|
|
|
static gint
|
|
|
|
dcerpc_call_equal (gconstpointer k1, gconstpointer k2)
|
|
|
|
{
|
|
|
|
dcerpc_call_key *key1 = (dcerpc_call_key *)k1;
|
|
|
|
dcerpc_call_key *key2 = (dcerpc_call_key *)k2;
|
|
|
|
return (key1->conv == key2->conv
|
|
|
|
&& key1->call_id == key2->call_id);
|
|
|
|
}
|
|
|
|
|
|
|
|
static guint
|
|
|
|
dcerpc_call_hash (gconstpointer k)
|
|
|
|
{
|
|
|
|
dcerpc_call_key *key = (dcerpc_call_key *)k;
|
|
|
|
return ((guint32)key->conv) ^ key->call_id;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dcerpc_call_add_map (guint32 call_id, conversation_t *conv,
|
|
|
|
guint16 opnum, guint16 ver, e_uuid_t *uuid)
|
|
|
|
{
|
|
|
|
dcerpc_call_key *key = g_mem_chunk_alloc (dcerpc_call_key_chunk);
|
|
|
|
dcerpc_call_value *value = g_mem_chunk_alloc (dcerpc_call_value_chunk);
|
|
|
|
|
|
|
|
key->call_id = call_id;
|
|
|
|
key->conv = conv;
|
|
|
|
value->uuid = *uuid;
|
|
|
|
value->ver = ver;
|
|
|
|
value->opnum = opnum;
|
|
|
|
g_hash_table_insert (dcerpc_calls, key, value);
|
|
|
|
}
|
|
|
|
|
|
|
|
static dcerpc_call_value*
|
|
|
|
dcerpc_call_lookup (guint32 call_id, conversation_t *conv)
|
|
|
|
{
|
|
|
|
dcerpc_call_key key;
|
|
|
|
|
|
|
|
key.call_id = call_id;
|
|
|
|
key.conv = conv;
|
|
|
|
return g_hash_table_lookup (dcerpc_calls, &key);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Utility functions. Modeled after packet-rpc.c
|
|
|
|
*/
|
|
|
|
|
|
|
|
int
|
|
|
|
dissect_dcerpc_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
|
|
proto_tree *tree, char *drep,
|
|
|
|
int hfindex, guint8 *pdata)
|
|
|
|
{
|
|
|
|
guint8 data;
|
|
|
|
|
|
|
|
data = tvb_get_guint8 (tvb, offset);
|
|
|
|
if (tree) {
|
|
|
|
proto_tree_add_item (tree, hfindex, tvb, offset, 1, (drep[0] & 0x10));
|
|
|
|
}
|
|
|
|
if (pdata)
|
|
|
|
*pdata = data;
|
|
|
|
return offset + 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dissect_dcerpc_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
|
|
proto_tree *tree, char *drep,
|
|
|
|
int hfindex, guint16 *pdata)
|
|
|
|
{
|
|
|
|
guint16 data;
|
|
|
|
|
|
|
|
data = ((drep[0] & 0x10)
|
|
|
|
? tvb_get_letohs (tvb, offset)
|
|
|
|
: tvb_get_ntohs (tvb, offset));
|
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
proto_tree_add_item (tree, hfindex, tvb, offset, 2, (drep[0] & 0x10));
|
|
|
|
}
|
|
|
|
if (pdata)
|
|
|
|
*pdata = data;
|
|
|
|
return offset + 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dissect_dcerpc_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
|
|
proto_tree *tree, char *drep,
|
|
|
|
int hfindex, guint32 *pdata)
|
|
|
|
{
|
|
|
|
guint32 data;
|
|
|
|
|
|
|
|
data = ((drep[0] & 0x10)
|
|
|
|
? tvb_get_letohl (tvb, offset)
|
|
|
|
: tvb_get_ntohl (tvb, offset));
|
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
proto_tree_add_item (tree, hfindex, tvb, offset, 4, (drep[0] & 0x10));
|
|
|
|
}
|
|
|
|
if (pdata)
|
|
|
|
*pdata = data;
|
|
|
|
return offset+4;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* a couple simpler things
|
|
|
|
*/
|
2001-03-18 02:13:33 +00:00
|
|
|
guint16
|
|
|
|
dcerpc_tvb_get_ntohs (tvbuff_t *tvb, gint offset, char *drep)
|
|
|
|
{
|
|
|
|
if (drep[0] & 0x10) {
|
|
|
|
return tvb_get_letohs (tvb, offset);
|
|
|
|
} else {
|
|
|
|
return tvb_get_ntohs (tvb, offset);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
guint32
|
|
|
|
dcerpc_tvb_get_ntohl (tvbuff_t *tvb, gint offset, char *drep)
|
|
|
|
{
|
|
|
|
if (drep[0] & 0x10) {
|
|
|
|
return tvb_get_letohl (tvb, offset);
|
|
|
|
} else {
|
|
|
|
return tvb_get_ntohl (tvb, offset);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dcerpc_tvb_get_uuid (tvbuff_t *tvb, gint offset, char *drep, e_uuid_t *uuid)
|
|
|
|
{
|
2001-04-27 01:27:37 +00:00
|
|
|
unsigned int i;
|
2001-03-18 02:13:33 +00:00
|
|
|
uuid->Data1 = dcerpc_tvb_get_ntohl (tvb, offset, drep);
|
|
|
|
uuid->Data2 = dcerpc_tvb_get_ntohs (tvb, offset+4, drep);
|
|
|
|
uuid->Data3 = dcerpc_tvb_get_ntohs (tvb, offset+6, drep);
|
|
|
|
|
|
|
|
for (i=0; i<sizeof (uuid->Data4); i++) {
|
|
|
|
uuid->Data4[i] = tvb_get_guint8 (tvb, offset+8+i);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
static int
|
|
|
|
dcerpc_try_handoff (packet_info *pinfo, proto_tree *tree,
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
proto_tree *dcerpc_tree,
|
2001-07-11 01:25:45 +00:00
|
|
|
tvbuff_t *tvb, gint offset,
|
|
|
|
e_uuid_t *uuid, guint16 ver,
|
|
|
|
guint16 opnum, gboolean is_rqst)
|
|
|
|
{
|
|
|
|
dcerpc_uuid_key key;
|
|
|
|
dcerpc_uuid_value *sub_proto;
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
int length;
|
2001-07-11 01:25:45 +00:00
|
|
|
proto_item *sub_item;
|
|
|
|
proto_tree *sub_tree;
|
|
|
|
dcerpc_sub_dissector *proc;
|
|
|
|
gchar *name = NULL;
|
|
|
|
|
|
|
|
key.uuid = *uuid;
|
|
|
|
key.ver = ver;
|
|
|
|
|
|
|
|
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
if ((sub_proto = g_hash_table_lookup (dcerpc_uuids, &key)) == 0) {
|
|
|
|
length = tvb_length_remaining (tvb, offset);
|
|
|
|
if (length > 0) {
|
|
|
|
proto_tree_add_text (dcerpc_tree, tvb, offset, length,
|
|
|
|
"Stub data (%d byte%s)", length,
|
|
|
|
plurality(length, "", "s"));
|
|
|
|
}
|
2001-07-11 01:25:45 +00:00
|
|
|
return -1;
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
}
|
2001-07-11 01:25:45 +00:00
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
sub_item = proto_tree_add_item (tree, sub_proto->proto, tvb, offset,
|
|
|
|
tvb_length (tvb) - offset, FALSE);
|
|
|
|
if (sub_item) {
|
|
|
|
sub_tree = proto_item_add_subtree (sub_item, sub_proto->ett);
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
for (proc = sub_proto->procs; proc->name; proc++) {
|
|
|
|
if (proc->num == opnum) {
|
|
|
|
name = proc->name;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!name)
|
|
|
|
name = "Unknown?!";
|
|
|
|
|
|
|
|
if (check_col (pinfo->fd, COL_INFO)) {
|
|
|
|
col_add_fstr (pinfo->fd, COL_INFO, "%s %s:%s(...)",
|
|
|
|
is_rqst ? "rqst" : "rply",
|
|
|
|
sub_proto->name, name);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (check_col (pinfo->fd, COL_PROTOCOL)) {
|
|
|
|
col_set_str (pinfo->fd, COL_PROTOCOL, sub_proto->name);
|
|
|
|
}
|
2001-07-11 04:49:34 +00:00
|
|
|
/* FIXME: call approp. dissector */
|
2001-07-11 01:25:45 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2001-09-28 22:43:57 +00:00
|
|
|
static int
|
|
|
|
dissect_dcerpc_cn_auth (tvbuff_t *tvb, packet_info *pinfo, proto_tree *dcerpc_tree,
|
|
|
|
e_dce_cn_common_hdr_t *hdr)
|
|
|
|
{
|
|
|
|
int offset;
|
|
|
|
guint8 auth_pad_len;
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
|
2001-09-28 22:43:57 +00:00
|
|
|
/*
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
* The authentication information is at the *end* of the PDU; in
|
|
|
|
* request and response PDUs, the request and response stub data
|
|
|
|
* come before it.
|
|
|
|
*
|
2001-09-28 22:43:57 +00:00
|
|
|
* If the full packet is here, and we've got an auth len, and it's
|
|
|
|
* valid, then dissect the auth info
|
|
|
|
*/
|
|
|
|
if (tvb_length (tvb) >= hdr->frag_len
|
|
|
|
&& hdr->auth_len
|
|
|
|
&& (hdr->auth_len + 8 <= hdr->frag_len)) {
|
|
|
|
|
|
|
|
offset = hdr->frag_len - (hdr->auth_len + 8);
|
|
|
|
|
|
|
|
offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_auth_type, NULL);
|
|
|
|
offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_auth_level, NULL);
|
|
|
|
offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_auth_pad_len, &auth_pad_len);
|
|
|
|
offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_auth_rsrvd, NULL);
|
|
|
|
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_auth_ctx_id, NULL);
|
|
|
|
|
|
|
|
proto_tree_add_text (dcerpc_tree, tvb, offset, hdr->auth_len, "Auth Data");
|
|
|
|
|
|
|
|
/* figure out where the auth padding starts */
|
|
|
|
offset = hdr->frag_len - (hdr->auth_len + 8 + auth_pad_len);
|
|
|
|
if (offset > 0 && auth_pad_len) {
|
|
|
|
proto_tree_add_text (dcerpc_tree, tvb, offset,
|
|
|
|
auth_pad_len, "Auth padding");
|
|
|
|
return hdr->auth_len + 8 + auth_pad_len;
|
|
|
|
} else {
|
|
|
|
return hdr->auth_len + 8;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Connection oriented packet types
|
|
|
|
*/
|
2001-03-18 02:13:33 +00:00
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
static void
|
|
|
|
dissect_dcerpc_cn_bind (tvbuff_t *tvb, packet_info *pinfo, proto_tree *dcerpc_tree,
|
|
|
|
e_dce_cn_common_hdr_t *hdr)
|
|
|
|
{
|
2001-07-11 01:25:45 +00:00
|
|
|
conversation_t *conv = NULL;
|
|
|
|
dcerpc_conv_key *key;
|
|
|
|
dcerpc_conv_value *value;
|
2001-04-19 23:39:27 +00:00
|
|
|
guint8 num_ctx_items;
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
guint i;
|
|
|
|
gboolean saw_ctx_item = FALSE;
|
2001-04-19 23:39:27 +00:00
|
|
|
guint16 ctx_id;
|
|
|
|
guint16 num_trans_items;
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
guint j;
|
2001-04-19 23:39:27 +00:00
|
|
|
e_uuid_t if_id;
|
|
|
|
e_uuid_t trans_id;
|
2001-07-11 01:25:45 +00:00
|
|
|
guint32 trans_ver;
|
|
|
|
guint16 if_ver, if_ver_minor;
|
2001-04-19 23:39:27 +00:00
|
|
|
int offset = 16;
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_max_xmit, NULL);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_max_recv, NULL);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_assoc_group, NULL);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_num_ctx_items, &num_ctx_items);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
|
|
|
/* padding */
|
|
|
|
offset += 3;
|
|
|
|
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
for (i = 0; i < num_ctx_items; i++) {
|
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_ctx_id, &ctx_id);
|
|
|
|
|
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_num_trans_items, &num_trans_items);
|
|
|
|
|
|
|
|
dcerpc_tvb_get_uuid (tvb, offset, hdr->drep, &if_id);
|
|
|
|
if (dcerpc_tree) {
|
|
|
|
proto_tree_add_string_format (dcerpc_tree, hf_dcerpc_cn_bind_if_id, tvb,
|
|
|
|
offset, 16, "HMMM",
|
|
|
|
"Interface UUID: %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
|
|
|
|
if_id.Data1, if_id.Data2, if_id.Data3,
|
|
|
|
if_id.Data4[0], if_id.Data4[1],
|
|
|
|
if_id.Data4[2], if_id.Data4[3],
|
|
|
|
if_id.Data4[4], if_id.Data4[5],
|
|
|
|
if_id.Data4[6], if_id.Data4[7]);
|
|
|
|
}
|
|
|
|
offset += 16;
|
|
|
|
|
|
|
|
if (hdr->drep[0] & 0x10) {
|
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_bind_if_ver, &if_ver);
|
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_bind_if_ver_minor, &if_ver_minor);
|
|
|
|
} else {
|
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_bind_if_ver_minor, &if_ver_minor);
|
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_bind_if_ver, &if_ver);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!saw_ctx_item) {
|
|
|
|
conv = find_conversation (&pinfo->src, &pinfo->dst, pinfo->ptype,
|
|
|
|
pinfo->srcport, pinfo->destport, 0);
|
|
|
|
if (conv == NULL) {
|
|
|
|
conv = conversation_new (&pinfo->src, &pinfo->dst, pinfo->ptype,
|
|
|
|
pinfo->srcport, pinfo->destport, 0);
|
|
|
|
}
|
2001-04-19 23:39:27 +00:00
|
|
|
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
key = g_mem_chunk_alloc (dcerpc_conv_key_chunk);
|
|
|
|
key->conv = conv;
|
|
|
|
key->ctx_id = ctx_id;
|
|
|
|
|
|
|
|
value = g_mem_chunk_alloc (dcerpc_conv_value_chunk);
|
|
|
|
value->uuid = if_id;
|
|
|
|
value->ver = if_ver;
|
|
|
|
|
|
|
|
g_hash_table_insert (dcerpc_convs, key, value);
|
|
|
|
|
|
|
|
if (check_col (pinfo->fd, COL_INFO)) {
|
|
|
|
col_add_fstr (pinfo->fd, COL_INFO, "%s: UUID %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x ver %d.%d",
|
|
|
|
hdr->ptype == PDU_BIND ? "Bind" : "Alter Ctx",
|
|
|
|
if_id.Data1, if_id.Data2, if_id.Data3,
|
|
|
|
if_id.Data4[0], if_id.Data4[1],
|
|
|
|
if_id.Data4[2], if_id.Data4[3],
|
|
|
|
if_id.Data4[4], if_id.Data4[5],
|
|
|
|
if_id.Data4[6], if_id.Data4[7],
|
|
|
|
if_ver, if_ver_minor);
|
|
|
|
}
|
|
|
|
saw_ctx_item = TRUE;
|
|
|
|
}
|
2001-04-19 23:39:27 +00:00
|
|
|
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
for (j = 0; j < num_trans_items; j++) {
|
|
|
|
dcerpc_tvb_get_uuid (tvb, offset, hdr->drep, &trans_id);
|
|
|
|
if (dcerpc_tree) {
|
|
|
|
proto_tree_add_string_format (dcerpc_tree, hf_dcerpc_cn_bind_trans_id, tvb,
|
|
|
|
offset, 16, "HMMM",
|
|
|
|
"Transfer Syntax: %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
|
|
|
|
trans_id.Data1, trans_id.Data2, trans_id.Data3,
|
|
|
|
trans_id.Data4[0], trans_id.Data4[1],
|
|
|
|
trans_id.Data4[2], trans_id.Data4[3],
|
|
|
|
trans_id.Data4[4], trans_id.Data4[5],
|
|
|
|
trans_id.Data4[6], trans_id.Data4[7]);
|
|
|
|
}
|
|
|
|
offset += 16;
|
2001-04-19 23:39:27 +00:00
|
|
|
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_bind_trans_ver, &trans_ver);
|
|
|
|
}
|
2001-07-11 01:25:45 +00:00
|
|
|
}
|
|
|
|
|
2001-09-28 22:43:57 +00:00
|
|
|
dissect_dcerpc_cn_auth (tvb, pinfo, dcerpc_tree, hdr);
|
2001-04-19 23:39:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dissect_dcerpc_cn_bind_ack (tvbuff_t *tvb, packet_info *pinfo, proto_tree *dcerpc_tree,
|
|
|
|
e_dce_cn_common_hdr_t *hdr)
|
|
|
|
{
|
|
|
|
guint16 max_xmit, max_recv;
|
|
|
|
guint16 sec_addr_len;
|
|
|
|
guint8 num_results;
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
guint i;
|
|
|
|
guint16 result;
|
|
|
|
guint16 reason;
|
|
|
|
e_uuid_t trans_id;
|
|
|
|
guint32 trans_ver;
|
2001-04-19 23:39:27 +00:00
|
|
|
|
|
|
|
int offset = 16;
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_max_xmit, &max_xmit);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_max_recv, &max_recv);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_assoc_group, NULL);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_sec_addr_len, &sec_addr_len);
|
|
|
|
offset += sec_addr_len;
|
2001-04-19 23:39:27 +00:00
|
|
|
|
|
|
|
if (offset % 4) {
|
|
|
|
offset += 4 - offset % 4;
|
|
|
|
}
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_num_results, &num_results);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
|
|
|
/* padding */
|
|
|
|
offset += 3;
|
|
|
|
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
for (i = 0; i < num_results; i++) {
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree,
|
|
|
|
hdr->drep, hf_dcerpc_cn_ack_result,
|
|
|
|
&result);
|
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree,
|
|
|
|
hdr->drep, hf_dcerpc_cn_ack_reason,
|
|
|
|
&reason);
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
|
|
|
|
dcerpc_tvb_get_uuid (tvb, offset, hdr->drep, &trans_id);
|
|
|
|
if (dcerpc_tree) {
|
|
|
|
proto_tree_add_string_format (dcerpc_tree, hf_dcerpc_cn_ack_trans_id, tvb,
|
|
|
|
offset, 16, "HMMM",
|
|
|
|
"Transfer Syntax: %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
|
|
|
|
trans_id.Data1, trans_id.Data2, trans_id.Data3,
|
|
|
|
trans_id.Data4[0], trans_id.Data4[1],
|
|
|
|
trans_id.Data4[2], trans_id.Data4[3],
|
|
|
|
trans_id.Data4[4], trans_id.Data4[5],
|
|
|
|
trans_id.Data4[6], trans_id.Data4[7]);
|
|
|
|
}
|
|
|
|
offset += 16;
|
|
|
|
|
|
|
|
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_ack_trans_ver, &trans_ver);
|
2001-04-19 23:39:27 +00:00
|
|
|
}
|
|
|
|
|
2001-09-28 22:43:57 +00:00
|
|
|
dissect_dcerpc_cn_auth (tvb, pinfo, dcerpc_tree, hdr);
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
if (check_col (pinfo->fd, COL_INFO)) {
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
if (num_results != 0 && result == 0) {
|
2001-07-11 01:25:45 +00:00
|
|
|
col_add_fstr (pinfo->fd, COL_INFO, "%s ack: accept max_xmit: %d max_recv: %d",
|
|
|
|
hdr->ptype == PDU_BIND_ACK ? "Bind" : "Alter ctx",
|
|
|
|
max_xmit, max_recv);
|
2001-04-19 23:39:27 +00:00
|
|
|
} else {
|
|
|
|
/* FIXME: should put in reason */
|
2001-07-11 01:25:45 +00:00
|
|
|
col_add_fstr (pinfo->fd, COL_INFO, "%s ack: %s",
|
|
|
|
hdr->ptype == PDU_BIND_ACK ? "Bind" : "Alter ctx",
|
|
|
|
result == 1 ? "User reject" :
|
|
|
|
result == 2 ? "Provider reject" :
|
|
|
|
"Unknown");
|
2001-04-19 23:39:27 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dissect_dcerpc_cn_rqst (tvbuff_t *tvb, packet_info *pinfo, proto_tree *dcerpc_tree,
|
2001-07-11 01:25:45 +00:00
|
|
|
proto_tree *tree, e_dce_cn_common_hdr_t *hdr)
|
2001-04-19 23:39:27 +00:00
|
|
|
{
|
2001-07-11 01:25:45 +00:00
|
|
|
conversation_t *conv;
|
2001-04-19 23:39:27 +00:00
|
|
|
guint16 ctx_id;
|
|
|
|
guint16 opnum;
|
|
|
|
e_uuid_t obj_id;
|
2001-09-28 22:43:57 +00:00
|
|
|
int auth_sz = 0;
|
2001-04-19 23:39:27 +00:00
|
|
|
int offset = 16;
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_alloc_hint, NULL);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_ctx_id, &ctx_id);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_opnum, &opnum);
|
2001-04-19 23:39:27 +00:00
|
|
|
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
if (check_col (pinfo->fd, COL_INFO)) {
|
|
|
|
col_add_fstr (pinfo->fd, COL_INFO, "Request: opnum: %d ctx_id:%d",
|
|
|
|
opnum, ctx_id);
|
|
|
|
}
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
if (hdr->flags & 0x80) {
|
|
|
|
dcerpc_tvb_get_uuid (tvb, offset, hdr->drep, &obj_id);
|
2001-07-11 01:25:45 +00:00
|
|
|
if (dcerpc_tree) {
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_string_format (dcerpc_tree, hf_dcerpc_obj_id, tvb,
|
|
|
|
offset, 16, "HMMM",
|
|
|
|
"Object UUID: %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
|
|
|
|
obj_id.Data1, obj_id.Data2, obj_id.Data3,
|
|
|
|
obj_id.Data4[0],
|
|
|
|
obj_id.Data4[1],
|
|
|
|
obj_id.Data4[2],
|
|
|
|
obj_id.Data4[3],
|
|
|
|
obj_id.Data4[4],
|
|
|
|
obj_id.Data4[5],
|
|
|
|
obj_id.Data4[6],
|
|
|
|
obj_id.Data4[7]);
|
2001-07-11 01:25:45 +00:00
|
|
|
}
|
|
|
|
offset += 16;
|
|
|
|
}
|
|
|
|
|
2001-09-28 22:43:57 +00:00
|
|
|
auth_sz = dissect_dcerpc_cn_auth (tvb, pinfo, dcerpc_tree, hdr);
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
conv = find_conversation (&pinfo->src, &pinfo->dst, pinfo->ptype,
|
|
|
|
pinfo->srcport, pinfo->destport, 0);
|
|
|
|
if (!conv) {
|
|
|
|
|
|
|
|
} else {
|
|
|
|
dcerpc_conv_key key;
|
|
|
|
dcerpc_conv_value *value;
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
int length, reported_length, stub_length;
|
2001-07-11 01:25:45 +00:00
|
|
|
|
|
|
|
key.conv = conv;
|
|
|
|
key.ctx_id = ctx_id;
|
|
|
|
|
|
|
|
value = g_hash_table_lookup (dcerpc_convs, &key);
|
|
|
|
if (value) {
|
|
|
|
/* add an entry for this call, so we can catch the reply */
|
|
|
|
dcerpc_call_add_map (hdr->call_id, conv, opnum,
|
|
|
|
value->ver, &value->uuid);
|
|
|
|
|
|
|
|
/* handoff this call */
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
length = tvb_length_remaining(tvb, offset);
|
|
|
|
reported_length = tvb_reported_length_remaining(tvb, offset);
|
|
|
|
stub_length = hdr->frag_len - offset - auth_sz;
|
|
|
|
if (length > stub_length)
|
|
|
|
length = stub_length;
|
|
|
|
if (reported_length > stub_length)
|
|
|
|
reported_length = stub_length;
|
|
|
|
dcerpc_try_handoff (pinfo, tree, dcerpc_tree,
|
|
|
|
tvb_new_subset (tvb, offset, length,
|
|
|
|
reported_length),
|
|
|
|
0, &value->uuid, value->ver,
|
2001-07-11 01:25:45 +00:00
|
|
|
opnum, TRUE);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dissect_dcerpc_cn_resp (tvbuff_t *tvb, packet_info *pinfo, proto_tree *dcerpc_tree,
|
|
|
|
proto_tree *tree, e_dce_cn_common_hdr_t *hdr)
|
|
|
|
{
|
|
|
|
conversation_t *conv;
|
|
|
|
guint16 ctx_id;
|
2001-09-28 22:43:57 +00:00
|
|
|
int auth_sz = 0;
|
2001-07-11 01:25:45 +00:00
|
|
|
int offset = 16;
|
|
|
|
|
|
|
|
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_alloc_hint, NULL);
|
|
|
|
|
|
|
|
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_ctx_id, &ctx_id);
|
|
|
|
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
if (check_col (pinfo->fd, COL_INFO)) {
|
|
|
|
col_add_fstr (pinfo->fd, COL_INFO, "Response: call_id: %d ctx_id:%d",
|
|
|
|
hdr->call_id, ctx_id);
|
|
|
|
}
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
|
|
|
|
hf_dcerpc_cn_cancel_count, NULL);
|
|
|
|
/* padding */
|
|
|
|
offset++;
|
|
|
|
|
2001-09-28 22:43:57 +00:00
|
|
|
auth_sz = dissect_dcerpc_cn_auth (tvb, pinfo, dcerpc_tree, hdr);
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
conv = find_conversation (&pinfo->src, &pinfo->dst, pinfo->ptype,
|
|
|
|
pinfo->srcport, pinfo->destport, 0);
|
|
|
|
if (!conv) {
|
|
|
|
/* no point in creating one here, really */
|
|
|
|
} else {
|
|
|
|
dcerpc_call_value *value = dcerpc_call_lookup (hdr->call_id, conv);
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
int length, reported_length, stub_length;
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
if (value) {
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
/* handoff this call */
|
|
|
|
length = tvb_length_remaining(tvb, offset);
|
|
|
|
reported_length = tvb_reported_length_remaining(tvb, offset);
|
|
|
|
stub_length = hdr->frag_len - offset - auth_sz;
|
|
|
|
if (length > stub_length)
|
|
|
|
length = stub_length;
|
|
|
|
if (reported_length > stub_length)
|
|
|
|
reported_length = stub_length;
|
|
|
|
dcerpc_try_handoff (pinfo, tree, dcerpc_tree,
|
|
|
|
tvb_new_subset (tvb, offset, length,
|
|
|
|
reported_length),
|
|
|
|
0, &value->uuid, value->ver,
|
2001-07-11 01:25:45 +00:00
|
|
|
value->opnum, FALSE);
|
2001-04-19 23:39:27 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2001-03-18 02:13:33 +00:00
|
|
|
/*
|
2001-03-18 02:34:50 +00:00
|
|
|
* DCERPC dissector for connection oriented calls
|
2001-03-18 02:13:33 +00:00
|
|
|
*/
|
|
|
|
static gboolean
|
|
|
|
dissect_dcerpc_cn (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|
|
|
{
|
2001-09-28 22:43:57 +00:00
|
|
|
static char nulls[4] = { 0 };
|
2001-03-18 02:13:33 +00:00
|
|
|
proto_item *ti = NULL;
|
|
|
|
proto_item *tf = NULL;
|
|
|
|
proto_tree *dcerpc_tree = NULL;
|
|
|
|
proto_tree *cn_flags_tree = NULL;
|
2001-10-05 20:25:41 +00:00
|
|
|
proto_tree *drep_tree = NULL;
|
2001-04-19 23:39:27 +00:00
|
|
|
e_dce_cn_common_hdr_t hdr;
|
2001-03-18 02:13:33 +00:00
|
|
|
int offset = 0;
|
|
|
|
|
|
|
|
/*
|
2001-03-18 02:34:50 +00:00
|
|
|
* Check if this looks like a C/O DCERPC call
|
2001-03-18 02:13:33 +00:00
|
|
|
*/
|
2001-09-28 22:43:57 +00:00
|
|
|
/*
|
|
|
|
* when done over nbt, dcerpc requests are padded with 4 bytes of null
|
|
|
|
* data for some reason.
|
|
|
|
*/
|
|
|
|
if (tvb_bytes_exist (tvb, 0, 4) && tvb_memeql (tvb, 0, nulls, 4) == 0) {
|
|
|
|
tvb = tvb_new_subset (tvb, 4, -1, -1);
|
|
|
|
}
|
2001-04-19 23:39:27 +00:00
|
|
|
if (!tvb_bytes_exist (tvb, 0, sizeof (hdr))) {
|
2001-03-18 02:13:33 +00:00
|
|
|
return FALSE;
|
|
|
|
}
|
2001-04-19 23:39:27 +00:00
|
|
|
hdr.rpc_ver = tvb_get_guint8 (tvb, offset++);
|
|
|
|
if (hdr.rpc_ver != 5)
|
2001-03-18 02:13:33 +00:00
|
|
|
return FALSE;
|
2001-04-19 23:39:27 +00:00
|
|
|
hdr.rpc_ver_minor = tvb_get_guint8 (tvb, offset++);
|
|
|
|
if (hdr.rpc_ver_minor != 0 && hdr.rpc_ver_minor != 1)
|
2001-03-18 02:13:33 +00:00
|
|
|
return FALSE;
|
2001-04-19 23:39:27 +00:00
|
|
|
hdr.ptype = tvb_get_guint8 (tvb, offset++);
|
|
|
|
if (hdr.ptype > 19)
|
2001-03-18 02:13:33 +00:00
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
if (check_col (pinfo->fd, COL_PROTOCOL))
|
2001-03-18 02:34:50 +00:00
|
|
|
col_set_str (pinfo->fd, COL_PROTOCOL, "DCERPC");
|
2001-03-18 02:13:33 +00:00
|
|
|
if (check_col (pinfo->fd, COL_INFO))
|
2001-04-19 23:39:27 +00:00
|
|
|
col_set_str (pinfo->fd, COL_INFO, pckt_vals[hdr.ptype].strptr);
|
|
|
|
|
|
|
|
hdr.flags = tvb_get_guint8 (tvb, offset++);
|
|
|
|
tvb_memcpy (tvb, (guint8 *)hdr.drep, offset, sizeof (hdr.drep));
|
|
|
|
offset += sizeof (hdr.drep);
|
|
|
|
|
|
|
|
hdr.frag_len = dcerpc_tvb_get_ntohs (tvb, offset, hdr.drep);
|
|
|
|
offset += 2;
|
|
|
|
hdr.auth_len = dcerpc_tvb_get_ntohs (tvb, offset, hdr.drep);
|
|
|
|
offset += 2;
|
|
|
|
hdr.call_id = dcerpc_tvb_get_ntohl (tvb, offset, hdr.drep);
|
|
|
|
offset += 4;
|
|
|
|
|
2001-03-18 02:13:33 +00:00
|
|
|
if (tree) {
|
|
|
|
ti = proto_tree_add_item (tree, proto_dcerpc, tvb, 0, tvb_length(tvb), FALSE);
|
|
|
|
if (ti) {
|
|
|
|
dcerpc_tree = proto_item_add_subtree (ti, ett_dcerpc);
|
|
|
|
}
|
2001-04-19 23:39:27 +00:00
|
|
|
offset = 0;
|
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_ver, tvb, offset++, 1, hdr.rpc_ver);
|
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_ver_minor, tvb, offset++, 1, hdr.rpc_ver_minor);
|
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_packet_type, tvb, offset++, 1, hdr.ptype);
|
|
|
|
tf = proto_tree_add_uint (dcerpc_tree, hf_dcerpc_cn_flags, tvb, offset, 1, hdr.flags);
|
2001-03-18 02:13:33 +00:00
|
|
|
cn_flags_tree = proto_item_add_subtree (tf, ett_dcerpc_cn_flags);
|
|
|
|
if (cn_flags_tree) {
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_boolean (cn_flags_tree, hf_dcerpc_cn_flags_first_frag, tvb, offset, 1, hdr.flags);
|
|
|
|
proto_tree_add_boolean (cn_flags_tree, hf_dcerpc_cn_flags_last_frag, tvb, offset, 1, hdr.flags);
|
|
|
|
proto_tree_add_boolean (cn_flags_tree, hf_dcerpc_cn_flags_cancel_pending, tvb, offset, 1, hdr.flags);
|
|
|
|
proto_tree_add_boolean (cn_flags_tree, hf_dcerpc_cn_flags_reserved, tvb, offset, 1, hdr.flags);
|
|
|
|
proto_tree_add_boolean (cn_flags_tree, hf_dcerpc_cn_flags_mpx, tvb, offset, 1, hdr.flags);
|
|
|
|
proto_tree_add_boolean (cn_flags_tree, hf_dcerpc_cn_flags_dne, tvb, offset, 1, hdr.flags);
|
|
|
|
proto_tree_add_boolean (cn_flags_tree, hf_dcerpc_cn_flags_maybe, tvb, offset, 1, hdr.flags);
|
|
|
|
proto_tree_add_boolean (cn_flags_tree, hf_dcerpc_cn_flags_object, tvb, offset, 1, hdr.flags);
|
2001-03-18 02:13:33 +00:00
|
|
|
}
|
|
|
|
offset++;
|
|
|
|
|
2001-10-05 20:25:41 +00:00
|
|
|
tf = proto_tree_add_bytes (dcerpc_tree, hf_dcerpc_drep, tvb, offset, 4, hdr.drep);
|
|
|
|
drep_tree = proto_item_add_subtree (tf, ett_dcerpc_drep);
|
|
|
|
if (drep_tree) {
|
|
|
|
proto_tree_add_uint(drep_tree, hf_dcerpc_drep_byteorder, tvb, offset, 1, hdr.drep[0] >> 4);
|
|
|
|
proto_tree_add_uint(drep_tree, hf_dcerpc_drep_character, tvb, offset, 1, hdr.drep[0] & 0x0f);
|
|
|
|
proto_tree_add_uint(drep_tree, hf_dcerpc_drep_fp, tvb, offset+1, 1, hdr.drep[1]);
|
2001-09-30 13:48:20 +00:00
|
|
|
}
|
2001-04-19 23:39:27 +00:00
|
|
|
offset += sizeof (hdr.drep);
|
2001-03-18 02:13:33 +00:00
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_cn_frag_len, tvb, offset, 2, hdr.frag_len);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_cn_auth_len, tvb, offset, 2, hdr.auth_len);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_cn_call_id, tvb, offset, 4, hdr.call_id);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 4;
|
2001-04-19 23:39:27 +00:00
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Packet type specific stuff is next.
|
|
|
|
*/
|
|
|
|
switch (hdr.ptype) {
|
|
|
|
case PDU_BIND:
|
2001-07-11 01:25:45 +00:00
|
|
|
case PDU_ALTER:
|
2001-04-19 23:39:27 +00:00
|
|
|
dissect_dcerpc_cn_bind (tvb, pinfo, dcerpc_tree, &hdr);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PDU_BIND_ACK:
|
2001-07-11 01:25:45 +00:00
|
|
|
case PDU_ALTER_ACK:
|
2001-04-19 23:39:27 +00:00
|
|
|
dissect_dcerpc_cn_bind_ack (tvb, pinfo, dcerpc_tree, &hdr);
|
|
|
|
break;
|
2001-03-18 02:13:33 +00:00
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
case PDU_REQ:
|
2001-07-11 01:25:45 +00:00
|
|
|
dissect_dcerpc_cn_rqst (tvb, pinfo, dcerpc_tree, tree, &hdr);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PDU_RESP:
|
|
|
|
dissect_dcerpc_cn_resp (tvb, pinfo, dcerpc_tree, tree, &hdr);
|
2001-04-19 23:39:27 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
2001-09-28 22:43:57 +00:00
|
|
|
/* might as well dissect the auth info */
|
|
|
|
dissect_dcerpc_cn_auth (tvb, pinfo, dcerpc_tree, &hdr);
|
2001-04-19 23:39:27 +00:00
|
|
|
break;
|
2001-03-18 02:13:33 +00:00
|
|
|
}
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2001-03-18 02:34:50 +00:00
|
|
|
* DCERPC dissector for connectionless calls
|
2001-03-18 02:13:33 +00:00
|
|
|
*/
|
|
|
|
static gboolean
|
|
|
|
dissect_dcerpc_dg (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|
|
|
{
|
|
|
|
proto_item *ti = NULL;
|
|
|
|
proto_item *tf = NULL;
|
|
|
|
proto_tree *dcerpc_tree = NULL;
|
|
|
|
proto_tree *dg_flags1_tree = NULL;
|
|
|
|
proto_tree *dg_flags2_tree = NULL;
|
2001-10-05 20:25:41 +00:00
|
|
|
proto_tree *drep_tree = NULL;
|
2001-04-19 23:39:27 +00:00
|
|
|
e_dce_dg_common_hdr_t hdr;
|
2001-03-18 02:13:33 +00:00
|
|
|
int offset = 0;
|
2001-07-11 01:25:45 +00:00
|
|
|
conversation_t *conv;
|
2001-03-18 02:13:33 +00:00
|
|
|
|
|
|
|
/*
|
2001-03-18 02:34:50 +00:00
|
|
|
* Check if this looks like a CL DCERPC call. All dg packets
|
2001-03-18 02:13:33 +00:00
|
|
|
* have an 80 byte header on them. Which starts with
|
|
|
|
* version (4), pkt_type.
|
|
|
|
*/
|
2001-04-19 23:39:27 +00:00
|
|
|
if (!tvb_bytes_exist (tvb, 0, sizeof (hdr))) {
|
2001-03-18 02:13:33 +00:00
|
|
|
return FALSE;
|
|
|
|
}
|
2001-04-19 23:39:27 +00:00
|
|
|
hdr.rpc_ver = tvb_get_guint8 (tvb, offset++);
|
|
|
|
if (hdr.rpc_ver != 4)
|
2001-03-18 02:13:33 +00:00
|
|
|
return FALSE;
|
2001-04-19 23:39:27 +00:00
|
|
|
hdr.ptype = tvb_get_guint8 (tvb, offset++);
|
|
|
|
if (hdr.ptype > 19)
|
2001-03-18 02:13:33 +00:00
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
if (check_col (pinfo->fd, COL_PROTOCOL))
|
2001-03-18 02:34:50 +00:00
|
|
|
col_set_str (pinfo->fd, COL_PROTOCOL, "DCERPC");
|
2001-03-18 02:13:33 +00:00
|
|
|
if (check_col (pinfo->fd, COL_INFO))
|
2001-04-19 23:39:27 +00:00
|
|
|
col_set_str (pinfo->fd, COL_INFO, pckt_vals[hdr.ptype].strptr);
|
|
|
|
|
|
|
|
hdr.flags1 = tvb_get_guint8 (tvb, offset++);
|
|
|
|
hdr.flags2 = tvb_get_guint8 (tvb, offset++);
|
|
|
|
tvb_memcpy (tvb, (guint8 *)hdr.drep, offset, sizeof (hdr.drep));
|
|
|
|
offset += sizeof (hdr.drep);
|
|
|
|
hdr.serial_hi = tvb_get_guint8 (tvb, offset++);
|
|
|
|
dcerpc_tvb_get_uuid (tvb, offset, hdr.drep, &hdr.obj_id);
|
|
|
|
offset += 16;
|
|
|
|
dcerpc_tvb_get_uuid (tvb, offset, hdr.drep, &hdr.if_id);
|
|
|
|
offset += 16;
|
|
|
|
dcerpc_tvb_get_uuid (tvb, offset, hdr.drep, &hdr.act_id);
|
|
|
|
offset += 16;
|
|
|
|
hdr.server_boot = dcerpc_tvb_get_ntohl (tvb, offset, hdr.drep);
|
|
|
|
offset += 4;
|
|
|
|
hdr.if_ver = dcerpc_tvb_get_ntohl (tvb, offset, hdr.drep);
|
|
|
|
offset += 4;
|
|
|
|
hdr.seqnum = dcerpc_tvb_get_ntohl (tvb, offset, hdr.drep);
|
|
|
|
offset += 4;
|
|
|
|
hdr.opnum = dcerpc_tvb_get_ntohs (tvb, offset, hdr.drep);
|
|
|
|
offset += 2;
|
|
|
|
hdr.ihint = dcerpc_tvb_get_ntohs (tvb, offset, hdr.drep);
|
|
|
|
offset += 2;
|
|
|
|
hdr.ahint = dcerpc_tvb_get_ntohs (tvb, offset, hdr.drep);
|
|
|
|
offset += 2;
|
|
|
|
hdr.frag_len = dcerpc_tvb_get_ntohs (tvb, offset, hdr.drep);
|
|
|
|
offset += 2;
|
|
|
|
hdr.frag_num = dcerpc_tvb_get_ntohs (tvb, offset, hdr.drep);
|
|
|
|
offset += 2;
|
|
|
|
hdr.auth_proto = tvb_get_guint8 (tvb, offset++);
|
|
|
|
hdr.serial_lo = tvb_get_guint8 (tvb, offset++);
|
|
|
|
|
2001-03-18 02:13:33 +00:00
|
|
|
if (tree) {
|
|
|
|
ti = proto_tree_add_item (tree, proto_dcerpc, tvb, 0, tvb_length(tvb), FALSE);
|
|
|
|
if (ti) {
|
|
|
|
dcerpc_tree = proto_item_add_subtree(ti, ett_dcerpc);
|
|
|
|
}
|
2001-04-19 23:39:27 +00:00
|
|
|
offset = 0;
|
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_ver, tvb, offset++, 1, hdr.rpc_ver);
|
2001-03-18 02:13:33 +00:00
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_packet_type, tvb, offset++, 1, hdr.ptype);
|
2001-03-18 02:13:33 +00:00
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
tf = proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_flags1, tvb, offset, 1, hdr.flags1);
|
2001-03-18 02:13:33 +00:00
|
|
|
dg_flags1_tree = proto_item_add_subtree (tf, ett_dcerpc_dg_flags1);
|
|
|
|
if (dg_flags1_tree) {
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_boolean (dg_flags1_tree, hf_dcerpc_dg_flags1_rsrvd_01, tvb, offset, 1, hdr.flags1);
|
|
|
|
proto_tree_add_boolean (dg_flags1_tree, hf_dcerpc_dg_flags1_last_frag, tvb, offset, 1, hdr.flags1);
|
|
|
|
proto_tree_add_boolean (dg_flags1_tree, hf_dcerpc_dg_flags1_frag, tvb, offset, 1, hdr.flags1);
|
|
|
|
proto_tree_add_boolean (dg_flags1_tree, hf_dcerpc_dg_flags1_nofack, tvb, offset, 1, hdr.flags1);
|
|
|
|
proto_tree_add_boolean (dg_flags1_tree, hf_dcerpc_dg_flags1_maybe, tvb, offset, 1, hdr.flags1);
|
|
|
|
proto_tree_add_boolean (dg_flags1_tree, hf_dcerpc_dg_flags1_idempotent, tvb, offset, 1, hdr.flags1);
|
|
|
|
proto_tree_add_boolean (dg_flags1_tree, hf_dcerpc_dg_flags1_broadcast, tvb, offset, 1, hdr.flags1);
|
|
|
|
proto_tree_add_boolean (dg_flags1_tree, hf_dcerpc_dg_flags1_rsrvd_80, tvb, offset, 1, hdr.flags1);
|
2001-03-18 02:13:33 +00:00
|
|
|
}
|
|
|
|
offset++;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
tf = proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_flags2, tvb, offset, 1, hdr.flags2);
|
2001-03-18 02:13:33 +00:00
|
|
|
dg_flags2_tree = proto_item_add_subtree (tf, ett_dcerpc_dg_flags2);
|
|
|
|
if (dg_flags2_tree) {
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_boolean (dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_01, tvb, offset, 1, hdr.flags2);
|
|
|
|
proto_tree_add_boolean (dg_flags2_tree, hf_dcerpc_dg_flags2_cancel_pending, tvb, offset, 1, hdr.flags2);
|
|
|
|
proto_tree_add_boolean (dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_04, tvb, offset, 1, hdr.flags2);
|
|
|
|
proto_tree_add_boolean (dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_08, tvb, offset, 1, hdr.flags2);
|
|
|
|
proto_tree_add_boolean (dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_10, tvb, offset, 1, hdr.flags2);
|
|
|
|
proto_tree_add_boolean (dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_20, tvb, offset, 1, hdr.flags2);
|
|
|
|
proto_tree_add_boolean (dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_40, tvb, offset, 1, hdr.flags2);
|
|
|
|
proto_tree_add_boolean (dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_80, tvb, offset, 1, hdr.flags2);
|
2001-03-18 02:13:33 +00:00
|
|
|
}
|
|
|
|
offset++;
|
|
|
|
|
2001-10-05 20:25:41 +00:00
|
|
|
tf = proto_tree_add_bytes (dcerpc_tree, hf_dcerpc_drep, tvb, offset, sizeof (hdr.drep), hdr.drep);
|
|
|
|
drep_tree = proto_item_add_subtree (tf, ett_dcerpc_drep);
|
|
|
|
if (drep_tree) {
|
|
|
|
proto_tree_add_uint(drep_tree, hf_dcerpc_drep_byteorder, tvb, offset, 1, hdr.drep[0] >> 4);
|
|
|
|
proto_tree_add_uint(drep_tree, hf_dcerpc_drep_character, tvb, offset, 1, hdr.drep[0] & 0x0f);
|
|
|
|
proto_tree_add_uint(drep_tree, hf_dcerpc_drep_fp, tvb, offset+1, 1, hdr.drep[1]);
|
|
|
|
}
|
2001-04-19 23:39:27 +00:00
|
|
|
offset += sizeof (hdr.drep);
|
2001-03-18 02:13:33 +00:00
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_serial_hi, tvb, offset++, 1, hdr.serial_hi);
|
2001-03-18 02:13:33 +00:00
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_string_format (dcerpc_tree, hf_dcerpc_obj_id, tvb,
|
2001-03-18 02:13:33 +00:00
|
|
|
offset, 16, "HMMM",
|
|
|
|
"Object: %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
|
2001-04-19 23:39:27 +00:00
|
|
|
hdr.obj_id.Data1, hdr.obj_id.Data2, hdr.obj_id.Data3,
|
|
|
|
hdr.obj_id.Data4[0],
|
|
|
|
hdr.obj_id.Data4[1],
|
|
|
|
hdr.obj_id.Data4[2],
|
|
|
|
hdr.obj_id.Data4[3],
|
|
|
|
hdr.obj_id.Data4[4],
|
|
|
|
hdr.obj_id.Data4[5],
|
|
|
|
hdr.obj_id.Data4[6],
|
|
|
|
hdr.obj_id.Data4[7]);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 16;
|
|
|
|
|
|
|
|
proto_tree_add_string_format (dcerpc_tree, hf_dcerpc_dg_if_id, tvb,
|
|
|
|
offset, 16, "HMMM",
|
|
|
|
"Interface: %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
|
2001-04-19 23:39:27 +00:00
|
|
|
hdr.if_id.Data1, hdr.if_id.Data2, hdr.if_id.Data3,
|
|
|
|
hdr.if_id.Data4[0],
|
|
|
|
hdr.if_id.Data4[1],
|
|
|
|
hdr.if_id.Data4[2],
|
|
|
|
hdr.if_id.Data4[3],
|
|
|
|
hdr.if_id.Data4[4],
|
|
|
|
hdr.if_id.Data4[5],
|
|
|
|
hdr.if_id.Data4[6],
|
|
|
|
hdr.if_id.Data4[7]);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 16;
|
|
|
|
|
|
|
|
proto_tree_add_string_format (dcerpc_tree, hf_dcerpc_dg_act_id, tvb,
|
|
|
|
offset, 16, "HMMM",
|
|
|
|
"Activity: %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
|
2001-04-19 23:39:27 +00:00
|
|
|
hdr.act_id.Data1, hdr.act_id.Data2, hdr.act_id.Data3,
|
|
|
|
hdr.act_id.Data4[0],
|
|
|
|
hdr.act_id.Data4[1],
|
|
|
|
hdr.act_id.Data4[2],
|
|
|
|
hdr.act_id.Data4[3],
|
|
|
|
hdr.act_id.Data4[4],
|
|
|
|
hdr.act_id.Data4[5],
|
|
|
|
hdr.act_id.Data4[6],
|
|
|
|
hdr.act_id.Data4[7]);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 16;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_server_boot, tvb, offset, 4, hdr.server_boot);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 4;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_if_ver, tvb, offset, 4, hdr.if_ver);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 4;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_seqnum, tvb, offset, 4, hdr.seqnum);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 4;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_opnum, tvb, offset, 2, hdr.opnum);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_ihint, tvb, offset, 2, hdr.ihint);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_ahint, tvb, offset, 2, hdr.ahint);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_frag_len, tvb, offset, 2, hdr.frag_len);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_frag_num, tvb, offset, 2, hdr.frag_num);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_auth_proto, tvb, offset, 1, hdr.auth_proto);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset++;
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
proto_tree_add_uint (dcerpc_tree, hf_dcerpc_dg_serial_lo, tvb, offset, 1, hdr.serial_lo);
|
2001-03-18 02:13:33 +00:00
|
|
|
offset++;
|
|
|
|
}
|
2001-07-11 01:25:45 +00:00
|
|
|
/*
|
|
|
|
* keeping track of the conversation shouldn't really be necessary
|
|
|
|
* for connectionless packets, because everything we need to know
|
|
|
|
* to dissect is in the header for each packet. Unfortunately,
|
|
|
|
* Microsoft's implementation is buggy and often puts the
|
|
|
|
* completely wrong if_id in the header. go figure. So, keep
|
|
|
|
* track of the seqnum and use that if possible. Note: that's not
|
|
|
|
* completely correct. It should really be done based on both the
|
|
|
|
* activity_id and seqnum. I haven't seen anywhere that it would
|
|
|
|
* make a difference, but for future reference...
|
|
|
|
*/
|
|
|
|
conv = find_conversation (&pinfo->src, &pinfo->dst, pinfo->ptype,
|
|
|
|
pinfo->srcport, pinfo->destport, 0);
|
|
|
|
if (!conv) {
|
|
|
|
conv = conversation_new (&pinfo->src, &pinfo->dst, pinfo->ptype,
|
2001-09-03 10:33:12 +00:00
|
|
|
pinfo->srcport, pinfo->destport, 0);
|
2001-07-11 01:25:45 +00:00
|
|
|
}
|
|
|
|
|
2001-04-19 23:39:27 +00:00
|
|
|
/*
|
|
|
|
* Packet type specific stuff is next.
|
|
|
|
*/
|
2001-07-11 01:25:45 +00:00
|
|
|
switch (hdr.ptype) {
|
|
|
|
case PDU_REQ:
|
|
|
|
dcerpc_call_add_map (hdr.seqnum, conv, hdr.opnum,
|
|
|
|
hdr.if_ver, &hdr.if_id);
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
dcerpc_try_handoff (pinfo, tree, dcerpc_tree, tvb, offset,
|
2001-07-11 01:25:45 +00:00
|
|
|
&hdr.if_id, hdr.if_ver, hdr.opnum, TRUE);
|
|
|
|
break;
|
|
|
|
case PDU_RESP:
|
|
|
|
{
|
|
|
|
dcerpc_call_value *v = dcerpc_call_lookup (hdr.seqnum, conv);
|
|
|
|
if (v) {
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
dcerpc_try_handoff (pinfo, tree, dcerpc_tree, tvb, offset,
|
2001-07-11 01:25:45 +00:00
|
|
|
&v->uuid, v->ver, v->opnum, FALSE);
|
|
|
|
} else {
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
dcerpc_try_handoff (pinfo, tree, dcerpc_tree, tvb, offset,
|
2001-07-11 01:25:45 +00:00
|
|
|
&hdr.if_id, hdr.if_ver, hdr.opnum, FALSE);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
2001-04-19 23:39:27 +00:00
|
|
|
|
2001-03-18 02:13:33 +00:00
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
2001-07-11 01:25:45 +00:00
|
|
|
static void
|
|
|
|
dcerpc_init_protocol (void)
|
|
|
|
{
|
|
|
|
if (dcerpc_convs)
|
|
|
|
g_hash_table_destroy (dcerpc_convs);
|
|
|
|
if (dcerpc_calls)
|
|
|
|
g_hash_table_destroy (dcerpc_calls);
|
|
|
|
if (dcerpc_conv_key_chunk)
|
|
|
|
g_mem_chunk_destroy (dcerpc_conv_key_chunk);
|
|
|
|
if (dcerpc_conv_value_chunk)
|
|
|
|
g_mem_chunk_destroy (dcerpc_conv_value_chunk);
|
|
|
|
if (dcerpc_call_key_chunk)
|
|
|
|
g_mem_chunk_destroy (dcerpc_call_key_chunk);
|
|
|
|
if (dcerpc_call_value_chunk)
|
|
|
|
g_mem_chunk_destroy (dcerpc_call_value_chunk);
|
|
|
|
|
|
|
|
dcerpc_convs = g_hash_table_new (dcerpc_conv_hash, dcerpc_conv_equal);
|
|
|
|
dcerpc_calls = g_hash_table_new (dcerpc_call_hash, dcerpc_call_equal);
|
|
|
|
dcerpc_conv_key_chunk = g_mem_chunk_new ("dcerpc_conv_key_chunk",
|
|
|
|
sizeof (dcerpc_conv_key),
|
|
|
|
200 * sizeof (dcerpc_conv_key),
|
|
|
|
G_ALLOC_ONLY);
|
|
|
|
dcerpc_conv_value_chunk = g_mem_chunk_new ("dcerpc_conv_value_chunk",
|
|
|
|
sizeof (dcerpc_conv_value),
|
|
|
|
200 * sizeof (dcerpc_conv_value),
|
|
|
|
G_ALLOC_ONLY);
|
|
|
|
dcerpc_call_key_chunk = g_mem_chunk_new ("dcerpc_call_key_chunk",
|
|
|
|
sizeof (dcerpc_call_key),
|
|
|
|
200 * sizeof (dcerpc_call_key),
|
|
|
|
G_ALLOC_ONLY);
|
|
|
|
dcerpc_call_value_chunk = g_mem_chunk_new ("dcerpc_call_value_chunk",
|
|
|
|
sizeof (dcerpc_call_value),
|
|
|
|
200 * sizeof (dcerpc_call_value),
|
|
|
|
G_ALLOC_ONLY);
|
|
|
|
}
|
2001-03-18 02:13:33 +00:00
|
|
|
|
|
|
|
void
|
2001-07-11 01:25:45 +00:00
|
|
|
proto_register_dcerpc (void)
|
2001-03-18 02:13:33 +00:00
|
|
|
{
|
|
|
|
static hf_register_info hf[] = {
|
|
|
|
{ &hf_dcerpc_ver,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Version", "dcerpc.ver", FT_UINT8, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_ver_minor,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Version (minor)", "dcerpc.ver_minor", FT_UINT8, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_packet_type,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Packet type", "dcerpc.pkt_type", FT_UINT8, BASE_HEX, VALS (pckt_vals), 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_flags,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Packet Flags", "dcerpc.cn_flags", FT_UINT8, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_flags_first_frag,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "First Frag", "dcerpc.cn_flags.first_frag", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x1, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_flags_last_frag,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Last Frag", "dcerpc.cn_flags.last_frag", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x2, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_flags_cancel_pending,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Cancel Pending", "dcerpc.cn_flags.cancel_pending", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x4, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_flags_reserved,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Reserved", "dcerpc.cn_flags.reserved", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x8, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_flags_mpx,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Multiplex", "dcerpc.cn_flags.mpx", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x10, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_flags_dne,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Did Not Execute", "dcerpc.cn_flags.dne", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x20, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_flags_maybe,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Maybe", "dcerpc.cn_flags.maybe", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x40, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_flags_object,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Object", "dcerpc.cn_flags.object", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x80, "", HFILL }},
|
2001-10-05 20:25:41 +00:00
|
|
|
{ &hf_dcerpc_drep,
|
|
|
|
{ "Data Representation", "dcerpc.drep", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }},
|
|
|
|
{ &hf_dcerpc_drep_byteorder,
|
|
|
|
{ "Byte order", "dcerpc.drep.byteorder", FT_UINT8, BASE_DEC, VALS (drep_byteorder_vals), 0x0, "", HFILL }},
|
|
|
|
{ &hf_dcerpc_drep_character,
|
|
|
|
{ "Character", "dcerpc.drep.character", FT_UINT8, BASE_DEC, VALS (drep_character_vals), 0x0, "", HFILL }},
|
|
|
|
{ &hf_dcerpc_drep_fp,
|
|
|
|
{ "Floating-point", "dcerpc.drep.fp", FT_UINT8, BASE_DEC, VALS (drep_fp_vals), 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_frag_len,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Frag Length", "dcerpc.cn_frag_len", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_auth_len,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Auth Length", "dcerpc.cn_auth_len", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_cn_call_id,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Call ID", "dcerpc.cn_call_id", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_max_xmit,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Max Xmit Frag", "dcerpc.cn_max_xmit", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_max_recv,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Max Recv Frag", "dcerpc.cn_max_recv", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_assoc_group,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Assoc Group", "dcerpc.cn_assoc_group", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_num_ctx_items,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Num Ctx Items", "dcerpc.cn_num_ctx_items", FT_UINT8, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_ctx_id,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Context ID", "dcerpc.cn_ctx_id", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_num_trans_items,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Num Trans Items", "dcerpc.cn_num_trans_items", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_bind_if_id,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Interface UUID", "dcerpc.cn_bind_to_uuid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_bind_if_ver,
|
2001-07-11 01:25:45 +00:00
|
|
|
{ "Interface Ver", "dcerpc.cn_bind_if_ver", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
|
|
|
{ &hf_dcerpc_cn_bind_if_ver_minor,
|
|
|
|
{ "Interface Ver Minor", "dcerpc.cn_bind_if_ver_minor", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_bind_trans_id,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Transfer Syntax", "dcerpc.cn_bind_trans_id", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_bind_trans_ver,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Syntax ver", "dcerpc.cn_bind_trans_ver", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_alloc_hint,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Alloc hint", "dcerpc.cn_alloc_hint", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_sec_addr_len,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Scndry Addr len", "dcerpc.cn_sec_addr_len", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_num_results,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Num results", "dcerpc.cn_num_results", FT_UINT8, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_ack_result,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Ack result", "dcerpc.cn_ack_result", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_cn_ack_reason,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Ack reason", "dcerpc.cn_ack_reason", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.
Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.
In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.
Use the count of results when dissecting a bind ack PDU.
In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.
When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected. (We should do TCP reassembly there,
eventually.)
In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.
svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
|
|
|
{ &hf_dcerpc_cn_ack_trans_id,
|
|
|
|
{ "Transfer Syntax", "dcerpc.cn_ack_trans_id", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
|
|
|
|
{ &hf_dcerpc_cn_ack_trans_ver,
|
|
|
|
{ "Syntax ver", "dcerpc.cn_ack_trans_ver", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-07-11 01:25:45 +00:00
|
|
|
{ &hf_dcerpc_cn_cancel_count,
|
|
|
|
{ "Cancel count", "dcerpc.cn_cancel_count", FT_UINT8, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-09-28 22:43:57 +00:00
|
|
|
{ &hf_dcerpc_auth_type,
|
|
|
|
{ "Auth type", "dcerpc.auth_type", FT_UINT8, BASE_DEC, NULL, 0x0, "", HFILL }},
|
|
|
|
{ &hf_dcerpc_auth_level,
|
|
|
|
{ "Auth level", "dcerpc.auth_level", FT_UINT8, BASE_DEC, NULL, 0x0, "", HFILL }},
|
|
|
|
{ &hf_dcerpc_auth_pad_len,
|
|
|
|
{ "Auth pad len", "dcerpc.auth_pad_len", FT_UINT8, BASE_DEC, NULL, 0x0, "", HFILL }},
|
|
|
|
{ &hf_dcerpc_auth_rsrvd,
|
|
|
|
{ "Auth Rsrvd", "dcerpc.auth_rsrvd", FT_UINT8, BASE_DEC, NULL, 0x0, "", HFILL }},
|
|
|
|
{ &hf_dcerpc_auth_ctx_id,
|
|
|
|
{ "Auth Context ID", "dcerpc.auth_ctx_id", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags1,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Flags1", "dcerpc.dg_flags1", FT_UINT8, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags1_rsrvd_01,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Reserved", "dcerpc.dg_flags1_rsrvd_01", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x01, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags1_last_frag,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Last Fragment", "dcerpc.dg_flags1_last_frag", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x02, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags1_frag,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Fragment", "dcerpc.dg_flags1_frag", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x04, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags1_nofack,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "No Fack", "dcerpc.dg_flags1_nofack", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x08, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags1_maybe,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Maybe", "dcerpc.dg_flags1_maybe", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x10, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags1_idempotent,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Idempotent", "dcerpc.dg_flags1_idempotent", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x20, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags1_broadcast,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Broadcast", "dcerpc.dg_flags1_broadcast", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x40, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags1_rsrvd_80,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Reserved", "dcerpc.dg_flags1_rsrvd_80", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x80, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags2,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Flags2", "dcerpc.dg_flags2", FT_UINT8, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags2_rsrvd_01,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Reserved", "dcerpc.dg_flags2_rsrvd_01", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x01, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags2_cancel_pending,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Cancel Pending", "dcerpc.dg_flags2_cancel_pending", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x02, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags2_rsrvd_04,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Reserved", "dcerpc.dg_flags2_rsrvd_04", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x04, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags2_rsrvd_08,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Reserved", "dcerpc.dg_flags2_rsrvd_08", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x08, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags2_rsrvd_10,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Reserved", "dcerpc.dg_flags2_rsrvd_10", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x10, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags2_rsrvd_20,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Reserved", "dcerpc.dg_flags2_rsrvd_20", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x20, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags2_rsrvd_40,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Reserved", "dcerpc.dg_flags2_rsrvd_40", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x40, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_flags2_rsrvd_80,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Reserved", "dcerpc.dg_flags2_rsrvd_80", FT_BOOLEAN, 8, TFS (&flags_set_truth), 0x80, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_serial_lo,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Serial Low", "dcerpc.dg_serial_lo", FT_UINT8, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_serial_hi,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Serial High", "dcerpc.dg_serial_hi", FT_UINT8, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_ahint,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Activity Hint", "dcerpc.dg_ahint", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_ihint,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Interface Hint", "dcerpc.dg_ihint", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_frag_len,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Fragment len", "dcerpc.dg_frag_len", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_frag_num,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Fragment num", "dcerpc.dg_frag_num", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_auth_proto,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Auth proto", "dcerpc.dg_auth_proto", FT_UINT8, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_seqnum,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Sequence num", "dcerpc.dg_seqnum", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_server_boot,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Server boot time", "dcerpc.dg_server_boot", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_if_ver,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Interface Ver", "dcerpc.dg_if_ver", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_obj_id,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Object", "dcerpc.obj_id", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_if_id,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Interface", "dcerpc.dg_if_id", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
{ &hf_dcerpc_dg_act_id,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Activitiy", "dcerpc.dg_act_id", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
|
2001-04-19 23:39:27 +00:00
|
|
|
{ &hf_dcerpc_opnum,
|
2001-06-18 02:18:27 +00:00
|
|
|
{ "Opnum", "dcerpc.opnum", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
|
2001-03-18 02:13:33 +00:00
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
static gint *ett[] = {
|
|
|
|
&ett_dcerpc,
|
|
|
|
&ett_dcerpc_cn_flags,
|
2001-10-05 20:25:41 +00:00
|
|
|
&ett_dcerpc_drep,
|
2001-03-18 02:13:33 +00:00
|
|
|
&ett_dcerpc_dg_flags1,
|
|
|
|
&ett_dcerpc_dg_flags2,
|
|
|
|
};
|
|
|
|
|
|
|
|
proto_dcerpc = proto_register_protocol ("DCE RPC", "DCERPC", "dcerpc");
|
|
|
|
proto_register_field_array (proto_dcerpc, hf, array_length (hf));
|
|
|
|
proto_register_subtree_array (ett, array_length (ett));
|
2001-07-11 01:25:45 +00:00
|
|
|
register_init_routine (dcerpc_init_protocol);
|
|
|
|
|
|
|
|
dcerpc_uuids = g_hash_table_new (dcerpc_uuid_hash, dcerpc_uuid_equal);
|
2001-03-18 02:13:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2001-07-11 01:25:45 +00:00
|
|
|
proto_reg_handoff_dcerpc (void)
|
2001-03-18 02:13:33 +00:00
|
|
|
{
|
|
|
|
heur_dissector_add ("tcp", dissect_dcerpc_cn, proto_dcerpc);
|
2001-09-28 22:43:57 +00:00
|
|
|
heur_dissector_add ("netbios", dissect_dcerpc_cn, proto_dcerpc);
|
2001-03-18 02:13:33 +00:00
|
|
|
heur_dissector_add ("udp", dissect_dcerpc_dg, proto_dcerpc);
|
|
|
|
}
|